CLAIMS

What is claimed is: 

1. A method for effecting a chained key-issuing process over a finite group of points in which the discrete logarithm problem applies, wherein an issuing user (User(i)), who possesses an issuing user public value (U(i)) and an issuing user private key (x(i)), provides to a successor user (User(i+1)) a successor user public value (U(i+1)) and a successor user private key (x(i+1)), and where said issuing user, except for a Certifying Authority (CA), was a successor user in a preceding step in the chained key-issuing process, and where said Certifying Authority acts as the first issuing user in the chained key-issuing process, said method comprising the steps of:

(a) permitting said Certifying Authority to select a generating group-point (G) 
whose exponentiations to various powers generate various group-points and a converting 
mathematical operation (H) which converts several input values into a scalar; 

(b) permitting said Certifying Authority to possess a Certifying Authority private key (x(0));

(c) permitting said Certifying Authority to possess a Certifying Authority public value (U(0)), obtained by exponentiating said generating group-point to the power of said Certifying Authority private key (U(0) = x(0)*G);

(d) permitting said issuing user (User(i)) to possess said generating group-point (G) and said converting mathematical operation (H) and the identification details (ID(i+1)) of said successor user;

(e) permitting said issuing user (User(i)) to possess an issuing user private key (x(i)), where, except for the case in which said issuing user is said Certifying Authority, said issuing user private key was provided to said issuing user at a preceding stage in the chained key-issuing process (in which User(i) acted as a successor user in respect to an issuing User(i-1));

(f) permitting said issuing user (User(i)) to calculate said successor user public value (U(i+1)) and said successor user private key (x(i+1)) wherein:

a successor user random value (k(i+1)) is generated and said successor user public value (U(i+1)) is calculated by exponentiating said generating group-point to the power of said successor user random value (U(i+1) = k(i+1)*G);

a successor user representing value (H(ID(i+1),U(i+1))) is calculated by operating with said converting mathematical operation on said successor user identification details (ID(i+1)) and said successor user public value (U(i+1));

said successor user private key (x(i+1)) is calculated by multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said successor user random value (k(i+1)) and adding said issuing user private key (x(i)) to the product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*k(i+1) + x(i)) and reducing the result modulo the order of said generating group-point; and

(g) permitting said issuing user (User(i)) to submit said successor user public value (U(i+1)) and said successor user private key (x(i+1)) to said successor user (User(i+1)).

2. A method for effecting a chained key-issuing process as recited in claim 1, where the issuing user (User(i)) does not know the successor user private key (x(i+1)), said method further comprising the steps of:

permitting said successor user (User(i+1)) to generate a first random value (m(i+1)) and calculate a first intermediate group-point (m(i+1)*G) by exponentiating the generating group-point to the power of said first random value;

permitting said successor user to submit said first intermediate group-point (m(i+1)*G) to said issuing user (User(i));

permitting said issuing user to calculate a successor user public value (U(i+1)) and a successor user intermediate private key (p(i+1)), wherein:

a second random value (k(i+1)) is generated and a second intermediate group-point (k(i+1)*G) is calculated by exponentiating said generating group-point to the power of said second random value;

said successor user public value (U(i+1)) is calculated by adding said first intermediate group-point and said second intermediate group-point (U(i+1) = m(i+1)*G + k(i+1)*G);

a successor user representing value (H(ID(i+1),U(i+1))) is calculated in the way described;

said successor user intermediate private key (p(i+1)) is calculated by multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said second random value (k(i+1)) and adding the issuing user private key (x(i)) to the product obtained by said multiplication (p(i+1) = H(ID(i+1),U(i+1))*k(i+1) + x(i)) and reducing the result modulo the order of said generating group-point; and

permitting said successor user to generate the successor user private key (x(i+1)) by calculating said successor user representing value (H(ID(i+1),U(i+1))) in the way described and multiplying said successor user representing value by said first random value (m(i+1)) and adding said successor user intermediate private key (p(i+1)) to the product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*m(i+1) + p(i+1)) and reducing the result modulo the order of said generating group-point.
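The issuing step of claim 1 and the blinded variant of claim 2, as an added example that is not part of the patent: the toy prime-field group (written additively to match the claims), SHA-256 as the converting operation H, and the sample identities are assumptions of this example. Both variants are checked against the link property x(i+1)*G = H(ID(i+1),U(i+1))*U(i+1) + x(i)*G, which is what the later verification claims rely on.

```python
import hashlib
import secrets

# Toy group, constructed for this example and not taken from the patent: the
# multiplicative group of integers modulo the Mersenne prime 2**127 - 1, written
# additively below (k*G, A + B) to match the claims. 127 bits is far below a
# secure size; it only keeps the arithmetic readable.
P = 2**127 - 1      # field prime
N = P - 1           # size of the full group; the order of G divides N, so
                    # reducing scalars modulo N never changes a point k*G
G = 3               # generating group-point

def mul(k, point):
    """The claims' k*G: the group-point raised to the power k."""
    return pow(point, k % N, P)

def add(a, b):
    """The claims' A + B: the group operation, a modular multiplication here."""
    return (a * b) % P

def H(*values):
    """Converting operation H: several inputs to one scalar (length-prefixed
    SHA-256 over the inputs' text forms, reduced modulo N)."""
    data = b"".join(len(s).to_bytes(4, "big") + s
                    for s in (str(v).encode() for v in values))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def issue(x_i, id_next, k=None):
    """Claim 1, steps (f)-(g): User(i) derives (U(i+1), x(i+1)) for User(i+1).
    Here User(i) learns x(i+1); claim 2 avoids that."""
    k = rand_scalar() if k is None else k
    U_next = mul(k, G)                                  # U(i+1) = k(i+1)*G
    x_next = (H(id_next, U_next) * k + x_i) % N         # H(ID,U)*k + x(i)
    return U_next, x_next

def blind_request(m):
    """Claim 2, successor side: send m(i+1)*G and keep m(i+1) secret."""
    return mul(m, G)

def blind_issue(x_i, id_next, M, k=None):
    """Claim 2, issuer side: U(i+1) = m*G + k*G and intermediate key p(i+1)."""
    k = rand_scalar() if k is None else k
    U_next = add(M, mul(k, G))
    p_next = (H(id_next, U_next) * k + x_i) % N
    return U_next, p_next

def blind_finish(id_next, U_next, p_next, m):
    """Claim 2, successor side: x(i+1) = H(ID,U)*m + p(i+1)."""
    return (H(id_next, U_next) * m + p_next) % N

def link_holds(x_i, id_next, U_next, x_next):
    """Invariant behind both variants and behind chained verification:
    x(i+1)*G == H(ID(i+1),U(i+1))*U(i+1) + x(i)*G."""
    return mul(x_next, G) == add(mul(H(id_next, U_next), U_next), mul(x_i, G))

if __name__ == "__main__":
    x0 = rand_scalar()                          # CA = User(0), U(0) = x(0)*G
    U1, x1 = issue(x0, "ra-north@example")      # claim 1 link: CA -> User(1)
    m = rand_scalar()                           # claim 2 link: User(1) -> User(2)
    U2, p2 = blind_issue(x1, "ra-east@example", blind_request(m))
    x2 = blind_finish("ra-east@example", U2, p2, m)
    print(link_holds(x0, "ra-north@example", U1, x1),
          link_holds(x1, "ra-east@example", U2, x2))   # True True
```

In the blinded variant User(1) holds only p2, never x2, yet the resulting key satisfies the same link property, so a verifier cannot tell which variant issued it.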


3. A certificate generation system for permitting a generating user who is a successor user (User(i+1)) to issue a certificate to a general user (User(i+2)), where said certificate attests to the association between said general user public key (Y(i+2)) and said general user identification details (ID(i+2)), where said general user public key was issued to said general user according to any known public key cryptographic method, wherein an issuing user (User(i)), who possesses an issuing user public value (U(i)) and an issuing user private key (x(i)), provides to a successor user (User(i+1)) a successor user public value (U(i+1)) and a successor user private key (x(i+1)), and where said issuing user, except for a Certifying Authority (CA), was a successor user in a preceding step in the chained key-issuing process, and where said Certifying Authority acts as the first issuing user in the chained key-issuing process, said system comprising:

means for permitting said generating user to generate a first random scalar (k(i+2));

means for permitting said generating user to calculate a first part of a certificate (T(i+2)) by exponentiating the generating group-point to the power of said first random scalar (T(i+2) = k(i+2)*G);

means for permitting said generating user to calculate a general user representing value (H(ID(i+2),Y(i+2),T(i+2))) by operating with the converting mathematical operation on said general user identification details (ID(i+2)) and said general user public key (Y(i+2)) and said first part of a certificate (T(i+2));

means for permitting said generating user to calculate a second part of a certificate (s(i+2)) by multiplying said general user representing value by said first random scalar (k(i+2)) and adding the private key (x(i+1)) of said generating user to the product obtained by said multiplication (s(i+2) = H(ID(i+2),Y(i+2),T(i+2))*k(i+2) + x(i+1)) and reducing the result modulo the order of said generating group-point; and

means for permitting said generating user to submit said certificate to said general user, said certificate comprising said first part of a certificate (T(i+2)) and said second part of a certificate (s(i+2)).

4. A chained certificate verification system for permitting a verifying user to verify the authenticity of a certificate (T(i+2) and s(i+2)) issued to a general user (User(i+2)), where said certificate attests to the association between said general user public key (Y(i+2)) and said general user identification details (ID(i+2)), where said general user public key was issued to said general user according to any known public key cryptographic method, the system comprising:

means for providing said verifying user with said certificate and with the general user public key (Y(i+2)) and with the general user identification details (ID(i+2)) and with the Certifying Authority public value (U(0)) and with a plurality of pairs of values (ID(j) and U(j)) consisting of the identification details and public values of all users (User(j), j = 1, 2, ..., i+1) in the chained key-issuing process over a finite group of points in which the discrete logarithm problem applies, wherein an issuing user (User(i)), who possesses an issuing user public value (U(i)) and an issuing user private key (x(i)), provides to a successor user (User(i+1)) a successor user public value (U(i+1)) and a successor user private key (x(i+1)), and where said issuing user, except for a Certifying Authority (CA), was a successor user in a preceding step in the chained key-issuing process, and where said Certifying Authority acts as the first issuing user in the chained key-issuing process, starting with the first successor user (User(1)) after the Certifying Authority and ending with the successor user (User(i+1));

means for permitting said verifying user to verify the validity of said certificate, wherein:

a first scalar (H(ID(i+2),Y(i+2),T(i+2))) is calculated by operating with the converting mathematical operation on said general user identification details (ID(i+2)) and said general user public key (Y(i+2)) and the first part of said certificate (T(i+2));

a first intermediate group-point (H(ID(i+2),Y(i+2),T(i+2))*T(i+2)) is calculated by exponentiating said first part of the certificate (T(i+2)) to the power of said first scalar;

users representing values (H(ID(j),U(j)), j = 1, 2, ..., i+1) are calculated by operating with said converting mathematical operation on each pair of said plurality of pairs of values (ID(j) and U(j));

users temporary group-points (H(ID(j),U(j))*U(j), j = 1, 2, ..., i+1) are calculated for each user in said chained key-issuing process, starting with said first successor user (User(1)) and ending with said generating user (User(i+1)), by exponentiating each said user public value (U(j)) to the power of said user representing value (H(ID(j),U(j)));

a second intermediate group-point (P) is calculated by adding all said users temporary group-points (P = H(ID(i+1),U(i+1))*U(i+1) + H(ID(i),U(i))*U(i) + H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID(1),U(1))*U(1));

a third intermediate group-point (Q) is calculated by adding said first intermediate group-point and said second intermediate group-point and the public value of said Certifying Authority (Q = H(ID(i+2),Y(i+2),T(i+2))*T(i+2) + P + U(0));

a fourth intermediate group-point (s(i+2)*G) is calculated by exponentiating the generating group-point to the power of the second part (s(i+2)) of said certificate;

the value of said fourth intermediate group-point (s(i+2)*G) is compared to that of said third intermediate group-point (Q) and the certificate is determined as being valid in the case of equality.

5. A chained signature generation and verification system for permitting a successor user (User(i+1)) to generate a signature and permitting a verifying party to verify said signature, wherein an issuing user (User(i)), who possesses an issuing user public value (U(i)) and an issuing user private key (x(i)), provides to a successor user (User(i+1)) a successor user public value (U(i+1)) and a successor user private key (x(i+1)), and where said issuing user, except for a Certifying Authority (CA), was a successor user in a preceding step in a chained key-issuing process, and where said Certifying Authority acts as the first issuing user in the chained key-issuing process, the system comprising:

means for permitting said successor user (User(i+1)) to generate a signature on a message (m) wherein:

a first scalar (k) is randomly generated;

a first part of a signature (T) is generated by exponentiating the generating group-point to the power of said first scalar (T = k*G);

a representing value (H(m,T)) is generated by operating with the converting mathematical operation on said message (m) and said first part of a signature (T);

a second part of a signature (s) is calculated by multiplying said representing value (H(m,T)) by said first scalar (k) and adding the private key of said successor user (x(i+1)) to the product obtained by said multiplication (s = H(m,T)*k + x(i+1)) and reducing the result modulo the order of said generating group-point;

means for permitting said successor user to submit said message (m) and said signature (T and s) to said verifying party, said signature comprising said first part of a signature (T) and said second part of a signature (s);

means for providing said verifying party with the Certifying Authority public value (U(0)) and with a plurality of pairs of values (ID(j) and U(j)) consisting of the identification details and public values (ID(j) and U(j)) of all users (User(j), j = 1, 2, ..., i+1) in the chained key-issuing process, starting with the first successor user (User(1)) after the Certifying Authority and ending with said successor user (User(i+1));

means for permitting said verifying party to verify the validity of said signature (T and s) on said message (m), wherein:

said representing value (H(m,T)) is generated in the way described;

a first intermediate group-point (H(m,T)*T) is calculated by exponentiating said first part of the signature (T) to the power of said representing value;

users representing values (H(ID(j),U(j)), j = 1, 2, ..., i+1) are calculated by operating with said converting mathematical operation on each pair of said plurality of pairs of values (ID(j) and U(j));

users temporary group-points (H(ID(j),U(j))*U(j), j = 1, 2, ..., i+1) are calculated for each user in said chained key-issuing process, starting with said first successor user (User(1)) and ending with said successor user (User(i+1)), by exponentiating each said user public value (U(j)) to the power of said user representing value (H(ID(j),U(j)));

a second intermediate group-point (P) is calculated by adding all said temporary group-points (P = H(ID(i+1),U(i+1))*U(i+1) + H(ID(i),U(i))*U(i) + H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID(1),U(1))*U(1));

a third intermediate group-point (Q) is calculated by adding said first intermediate group-point and said second intermediate group-point and the public value of said Certifying Authority (Q = H(m,T)*T + P + U(0));

a fourth intermediate group-point (s*G) is calculated by exponentiating the generating group-point to the power of the second part (s) of said signature;

the value of said fourth intermediate group-point (s*G) is compared to that of said third intermediate group-point (Q) and the signature is determined as being valid in the case of equality.
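Certificate issue (claim 3), chained certificate verification (claim 4) and the signature scheme (claim 5) are one computation with different hash inputs, shown here as an added example that is not from the patent: the toy prime-field group (written additively to match the claims), SHA-256 as H, and the sample identities and message are assumptions of this example. The certificate hashes (ID(i+2), Y(i+2), T) and the signature hashes (m, T), so one sign/verify pair covers both, and the verifier reconstructs the signer's implicit public key from U(0) and the chain's (ID(j), U(j)) pairs alone.

```python
import hashlib
import secrets

# Toy group, constructed for this example and not taken from the patent: integers
# modulo the Mersenne prime 2**127 - 1 under multiplication, written additively
# (k*G, A + B) to match the claims. Far below a secure size; readability only.
P = 2**127 - 1
N = P - 1                       # ord(G) divides N, so scalars are reduced mod N
G = 3

def mul(k, point):
    """The claims' k*G."""
    return pow(point, k % N, P)

def add(a, b):
    """The claims' A + B."""
    return (a * b) % P

def H(*values):
    """Converting operation H: length-prefixed SHA-256 of the inputs, modulo N."""
    data = b"".join(len(s).to_bytes(4, "big") + s
                    for s in (str(v).encode() for v in values))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def issue(x_i, id_next, k=None):
    """Claim 1 link: (U(i+1), x(i+1)) = (k*G, H(ID(i+1),U(i+1))*k + x(i))."""
    k = rand_scalar() if k is None else k
    U_next = mul(k, G)
    return U_next, (H(id_next, U_next) * k + x_i) % N

def chained_sign(x_signer, *data, k=None):
    """Claims 3 and 5: (T, s) = (k*G, H(data..., T)*k + x_signer).
    A certificate uses data = (ID(i+2), Y(i+2)); a signature uses data = (m,)."""
    k = rand_scalar() if k is None else k
    T = mul(k, G)                               # first part
    s = (H(*data, T) * k + x_signer) % N        # second part
    return T, s

def chained_verify(U0, chain, *data, T, s):
    """Claims 4 and 5: accept iff s*G == H(data..., T)*T + P + U(0), where
    P = sum over the chain (ID(j), U(j)), j = 1..i+1, of H(ID(j),U(j))*U(j).
    No per-user certificate is needed, only the chain's public values."""
    Q = mul(H(*data, T), T)                     # first intermediate group-point
    for id_j, U_j in chain:                     # users temporary group-points
        Q = add(Q, mul(H(id_j, U_j), U_j))
    Q = add(Q, U0)                              # third intermediate group-point
    return mul(s, G) == Q                       # fourth intermediate group-point

def demo():
    """CA -> User(1) -> User(2); User(2) certifies a key and signs a message."""
    x0 = rand_scalar()
    U0 = mul(x0, G)                             # U(0) = x(0)*G
    U1, x1 = issue(x0, "ra-north@example")      # constructed sample identities
    U2, x2 = issue(x1, "ra-east@example")
    chain = [("ra-north@example", U1), ("ra-east@example", U2)]
    # Claim 3: certificate binding ID(i+2) to an independently generated key Y(i+2)
    Y3 = mul(rand_scalar(), G)
    T, s = chained_sign(x2, "alice@example", Y3)
    cert_ok = chained_verify(U0, chain, "alice@example", Y3, T=T, s=s)
    # Claim 5: signature on a message under the same chained key
    T2, s2 = chained_sign(x2, "release build 17")
    sig_ok = chained_verify(U0, chain, "release build 17", T=T2, s=s2)
    # A chain whose second identity was altered fails: H(ID(2),U(2)) changes
    forged = [chain[0], ("imposter@example", U2)]
    forged_ok = chained_verify(U0, forged, "release build 17", T=T2, s=s2)
    return cert_ok, sig_ok, forged_ok

if __name__ == "__main__":
    print(demo())        # (True, True, False)
```

Because Q is built from U(0) and every (ID(j), U(j)) in the chain, substituting a different CA value, dropping a link, or altering any identity or public value along the chain changes Q and the comparison with s*G fails.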
6. A chained signature generation and verification system as recited by claim 5, wherein the chained key-issuing process comprises the steps of:

(a) permitting said Certifying Authority to select a generating group-point (G) whose exponentiations to various powers generate various group-points and a converting mathematical operation (H) which converts several input values into a scalar;

(b) permitting said Certifying Authority to possess a Certifying Authority private key (x(0));

(c) permitting said Certifying Authority to possess a Certifying Authority public value (U(0)), obtained by exponentiating said generating group-point to the power of said Certifying Authority private key (U(0) = x(0)*G);

(d) permitting said issuing user (User(i)) to possess said generating group-point (G) and said converting mathematical operation (H) and the identification details (ID(i+1)) of said successor user;

(e) permitting said issuing user (User(i)) to possess an issuing user private key (x(i)), where, except for the case in which said issuing user is said Certifying Authority, said issuing user private key was provided to said issuing user at a preceding stage in the chained key-issuing process (in which User(i) acted as a successor user in respect to an issuing User(i-1));

(f) permitting said issuing user (User(i)) to calculate said successor user public value (U(i+1)) and said successor user private key (x(i+1)) wherein:




a successor user random value (k(i+1)) is generated and said successor user public value (U(i+1)) is calculated by exponentiating said generating group-point to the power of said successor user random value (U(i+1) = k(i+1)*G);

a successor user representing value (H(ID(i+1),U(i+1))) is calculated by operating with said converting mathematical operation on said successor user identification details (ID(i+1)) and said successor user public value (U(i+1));

said successor user private key (x(i+1)) is calculated by multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said successor user random value (k(i+1)) and adding said issuing user private key (x(i)) to the product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*k(i+1) + x(i)) and reducing the result modulo the order of said generating group-point; and

(g) permitting said issuing user (User(i)) to submit said successor user public value (U(i+1)) and said successor user private key (x(i+1)) to said successor user (User(i+1)).

7. A certificate generation system as recited by claim 3, wherein the successor user (User(i+1)) is defined according to a method comprising the steps of:

permitting said successor user (User(i+1)) to generate a first random value (m(i+1)) and calculate a first intermediate group-point (m(i+1)*G) by exponentiating the generating group-point to the power of said first random value;

permitting said successor user to submit said first intermediate group-point (m(i+1)*G) to said issuing user (User(i));

permitting said issuing user to calculate a successor user public value (U(i+1)) and a successor user intermediate private key (p(i+1)), wherein:

a second random value (k(i+1)) is generated and a second intermediate group-point (k(i+1)*G) is calculated by exponentiating said generating group-point to the power of said second random value;

said successor user public value (U(i+1)) is calculated by adding said first intermediate group-point and said second intermediate group-point (U(i+1) = m(i+1)*G + k(i+1)*G);

a successor user representing value (H(ID(i+1),U(i+1))) is calculated in the way described;

said successor user intermediate private key (p(i+1)) is calculated by multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said second random value (k(i+1)) and adding the issuing user private key (x(i)) to the product obtained by said multiplication (p(i+1) = H(ID(i+1),U(i+1))*k(i+1) + x(i)) and reducing the result modulo the order of said generating group-point; and

permitting said successor user to generate the successor user private key (x(i+1)) by calculating said successor user representing value (H(ID(i+1),U(i+1))) in the way described and multiplying said successor user representing value by said first random value (m(i+1)) and adding said successor user intermediate private key (p(i+1)) to the product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*m(i+1) + p(i+1)) and reducing the result modulo the order of said generating group-point.
8. A chained certificate verification system as recited by claim 4, wherein the chained key-issuing process is defined according to a method comprising the steps of:

permitting said successor user (User(i+1)) to generate a first random value (m(i+1)) and calculate a first intermediate group-point (m(i+1)*G) by exponentiating the generating group-point to the power of said first random value;

permitting said successor user to submit said first intermediate group-point (m(i+1)*G) to said issuing user (User(i));

permitting said issuing user to calculate a successor user public value (U(i+1)) and a successor user intermediate private key (p(i+1)), wherein:

a second random value (k(i+1)) is generated and a second intermediate group-point (k(i+1)*G) is calculated by exponentiating said generating group-point to the power of said second random value;

said successor user public value (U(i+1)) is calculated by adding said first intermediate group-point and said second intermediate group-point (U(i+1) = m(i+1)*G + k(i+1)*G);

a successor user representing value (H(ID(i+1),U(i+1))) is calculated in the way described;

said successor user intermediate private key (p(i+1)) is calculated by multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said second random value (k(i+1)) and adding the issuing user private key (x(i)) to the product obtained by said multiplication (p(i+1) = H(ID(i+1),U(i+1))*k(i+1) + x(i)) and reducing the result modulo the order of said generating group-point; and

permitting said successor user to generate the successor user private key (x(i+1)) by calculating said successor user representing value (H(ID(i+1),U(i+1))) in the way described and multiplying said successor user representing value by said first random value (m(i+1)) and adding said successor user intermediate private key (p(i+1)) to the product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*m(i+1) + p(i+1)) and reducing the result modulo the order of said generating group-point.

8. A chained signature generation and verification system as recited by claim 5, wherein the successor user (User(i+1)) is defined according to a method comprising the steps of:

permitting said successor user (User(i+1)) to generate a first random value (m(i+1)) and calculate a first intermediate group-point (m(i+1)*G) by exponentiating the generating group-point to the power of said first random value;

permitting said successor user to submit said first intermediate group-point (m(i+1)*G) to said issuing user (User(i));

permitting said issuing user to calculate a successor user public value (U(i+1)) and a successor user intermediate private key (p(i+1)), wherein:

a second random value (k(i+1)) is generated and a second intermediate group-point (k(i+1)*G) is calculated by exponentiating said generating group-point to the power of said second random value;

said successor user public value (U(i+1)) is calculated by adding said first intermediate group-point and said second intermediate group-point (U(i+1) = m(i+1)*G + k(i+1)*G);

a successor user representing value (H(ID(i+1),U(i+1))) is calculated in the way described;

said successor user intermediate private key (p(i+1)) is calculated by multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said second random value (k(i+1)) and adding the issuing user private key (x(i)) to the product obtained by said multiplication (p(i+1) = H(ID(i+1),U(i+1))*k(i+1) + x(i)) and reducing the result modulo the order of said generating group-point; and

permitting said successor user to generate the successor user private key (x(i+1)) by calculating said successor user representing value (H(ID(i+1),U(i+1))) in the way described and multiplying said successor user representing value by said first random value (m(i+1)) and adding said successor user intermediate private key (p(i+1)) to the product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*m(i+1) + p(i+1)) and reducing the result modulo the order of said generating group-point.